GCDL | Chapter 28 of 101 | Objective 1.1

Cloud Maturity Model and Readiness Assessment

This chapter covers the Cloud Maturity Model and Readiness Assessment, essential frameworks for evaluating an organization's cloud adoption progress and preparedness. For the GCDL exam, these concepts appear in roughly 5-8% of questions, primarily under Digital Transformation objective 1.1. You will learn to distinguish maturity levels, identify assessment domains, and map organizational stages to recommended cloud strategies. Mastery of these frameworks is critical because exam scenarios often require you to recommend the next step based on a company's current maturity level.

Intermediate
Updated May 31, 2026

Home Renovation Readiness Assessment

Assessing cloud maturity is like evaluating a house before a major renovation. A homeowner first inspects the foundation, electrical wiring, plumbing, and load-bearing walls to determine if the house can support new additions. A crack in the foundation (legacy IT) might require underpinning before adding a second story (cloud migration). The renovation contractor (cloud architect) uses a checklist: Can the electrical panel handle new appliances? Are the pipes galvanized or copper? Similarly, a cloud readiness assessment evaluates current infrastructure, security posture, staff skills, and business processes. Just as a contractor prioritizes structural repairs before cosmetic upgrades, an organization must address foundational gaps—like network bandwidth, identity management, or compliance—before adopting advanced cloud services. Skipping the assessment risks costly rework: a house that collapses under new load or an organization that suffers security breaches due to immature governance. The maturity model then tracks progress from 'Initial' (no renovation plan) through 'Managed' (some improvements) to 'Optimized' (fully modern home). Each level defines specific capabilities, just as building codes specify minimum requirements for each renovation phase. The readiness assessment provides the blueprint, while the maturity model maps the renovation timeline.

How It Actually Works

What is the Cloud Maturity Model?

The Cloud Maturity Model (CMM) is a structured framework that describes an organization's progression in adopting and leveraging cloud computing. It typically consists of 4-6 stages, from initial experimentation to fully optimized, automated operations. The model helps organizations benchmark their current state, identify gaps, and prioritize investments. The most widely referenced models include the Cloud Maturity Model from the Cloud Security Alliance (CSA) and Google Cloud's own Adoption Framework. The GCDL exam focuses on the general progression and key characteristics of each stage rather than a specific vendor model.

Why a Maturity Model Exists

Cloud adoption is not a binary state—it is a journey. Organizations rarely migrate everything at once. They start with simple lift-and-shift, then gradually refactor, adopt native services, and eventually automate governance. Without a maturity model, teams lack a common language to discuss progress. Executives may declare 'we are in the cloud' while IT struggles with manual security controls. The model provides a roadmap: it defines what 'good' looks like at each stage and the capabilities needed to advance. It also highlights that certain practices (like cost optimization or security automation) become critical only at higher maturity levels.

The Typical Maturity Stages

While specific names vary, most models include these stages:

Initial (Ad Hoc): Cloud is used unofficially by individual teams. There is no central strategy, governance, or cost management. Security is inconsistent. Typically involves one or two projects on a single cloud provider. Key characteristics: no formal cloud budget, no cloud center of excellence (CCoE), manual provisioning, and limited monitoring.

Managed (Consolidated): The organization establishes a central cloud team or CCoE. Basic governance policies exist (e.g., naming conventions, tagging standards). Cost tracking begins. Some automation via scripts or basic Infrastructure as Code (IaC). Multiple projects may exist, but each follows its own approach. Security controls are still largely manual.

Defined (Standardized): Standard operating procedures are documented and enforced. IaC is the norm for new deployments. A landing zone is established with consistent networking, identity, and security baselines. Cost optimization is proactive. Monitoring and alerting are centralized. The organization has a clear cloud strategy aligned with business goals.

Quantitatively Managed (Measured): Metrics drive decisions. Cloud costs are allocated to business units. Performance and security are continuously measured against SLAs. Automated remediation for common issues (e.g., auto-scaling, self-healing). FinOps practices are mature. Capacity planning uses historical data.

Optimizing (Continuous Improvement): The organization leverages advanced capabilities like AI/ML for operations, predictive analytics for capacity, and fully automated governance. Cloud infrastructure is treated as code with immutable deployments. Security is embedded in CI/CD pipelines (DevSecOps). The organization contributes back to the community (e.g., open-source tools).

Readiness Assessment Overview

A cloud readiness assessment evaluates an organization's ability to adopt cloud computing. It typically covers six domains:

1. Strategy & Governance: Is there a clear cloud strategy? Are there defined roles (e.g., cloud architect, FinOps lead)? Are policies in place for procurement, compliance, and risk management?

2. People & Skills: Does the organization have the necessary technical skills? Is there a training plan? Are roles changing (e.g., system administrators learning DevOps)?

3. Operations & Processes: Are ITIL processes adapted for cloud? Is there a change management process for IaC? Are incident response procedures updated for cloud?

4. Security & Compliance: Are identity and access management (IAM) controls ready? Is data encryption planned? Are compliance requirements (HIPAA, GDPR, PCI DSS) addressed? Is there a cloud security architecture?

5. Technology & Architecture: Is the existing infrastructure suitable for migration? Are applications monolithic or microservices? Is there network connectivity to the cloud? Are databases ready for cloud-native options?

6. Finance & Procurement: Is there a cloud budget? Is there a FinOps capability? Are chargeback/showback mechanisms in place? Are licensing agreements compatible with cloud?

Assessment Methodology

The assessment typically follows these steps:

1. Stakeholder Interviews: Gather current state from executives, IT leaders, and business unit heads. Identify pain points, goals, and constraints.

2. Technical Discovery: Inventory existing applications, infrastructure, and data. Map dependencies. Assess network bandwidth, latency, and security posture.

3. Gap Analysis: Compare current state against target maturity level. Identify missing capabilities in each domain.

4. Recommendations: Provide a prioritized roadmap for closing gaps. Recommendations may include training, tooling, process changes, or pilot projects.

5. Maturity Scoring: Assign a maturity level for each domain. Overall maturity is often the lowest level across domains (weakest link).

Key Metrics and Values

Maturity levels: Typically 5 levels (0-4 or 1-5). Level 1 (Initial) to Level 5 (Optimized).

Assessment domains: 6 as above. Some models use 4 (people, process, technology, governance).

Readiness score: Often a percentage (0-100%) or a color-coded status (Red/Amber/Green).

Common thresholds: Organizations below 40% readiness are advised to start with foundational projects (e.g., training, landing zone). Above 70% can consider migration of critical workloads.

How It Interacts with Related Technologies

The maturity model and readiness assessment influence multiple areas:

Migration Strategy: Low maturity suggests lift-and-shift; higher maturity enables re-platforming or refactoring.

Landing Zone Design: Readiness assessment informs landing zone architecture (e.g., network topology, IAM structure).

FinOps Implementation: Maturity level determines whether basic cost tracking or advanced optimization is feasible.

Security Posture: Low maturity may require manual security reviews; high maturity can adopt automated policy enforcement (e.g., Google Cloud's Organization Policies).

DevOps/Agile: Higher maturity correlates with CI/CD adoption, IaC, and DevSecOps practices.

Common Assessment Frameworks

Google Cloud Adoption Framework (GCAF): Four themes (Learn, Lead, Scale, Secure) across four maturity levels (Tactical, Strategic, Transformational, Optimized).

Cloud Security Alliance (CSA) Cloud Controls Matrix: Maturity model for cloud security capabilities.

AWS Cloud Adoption Framework (AWS CAF): Six perspectives (Business, People, Governance, Platform, Security, Operations).

Microsoft Cloud Adoption Framework (MS CAF): Five disciplines (Strategy, Plan, Ready, Adopt, Govern, Manage).

Exam Emphasis

The GCDL exam tests your ability to:

Identify the correct maturity level given a scenario description.

Recommend the next step based on assessed readiness gaps.

Distinguish between readiness assessment domains.

Understand that maturity is not always linear—organizations may regress due to acquisitions or budget cuts.

Recognize that readiness assessments should be repeated periodically (e.g., annually) as conditions change.

Walk-Through

1. Define Scope and Objectives

Begin by clarifying the business goals for cloud adoption (e.g., reduce costs, increase agility, enter new markets). Determine which parts of the organization are in scope (entire company, specific business unit, or a single application). Set the target maturity level for the assessment (e.g., Level 3 within 12 months). This step ensures alignment between IT and business stakeholders and prevents scope creep. The assessment team should include representatives from finance, security, operations, and application development.

2. Conduct Stakeholder Interviews

Interview key stakeholders across all six domains: executives (strategy), IT managers (operations), security officers (compliance), developers (technology), finance (procurement), and HR (people). Use structured questionnaires to gather current practices, pain points, and future expectations. For example, ask about existing governance policies, incident response times, or skill gaps. These interviews provide qualitative data that complements technical discovery.

3. Perform Technical Discovery

Inventory all applications, servers, databases, storage, and network components. Use discovery tools (e.g., Google Cloud's Migrate for Compute Engine, or third-party tools like ServiceNow) to collect configuration data. Assess dependencies between applications and data flows. Measure network latency and bandwidth to the cloud region. Identify any compliance-sensitive data (PII, PHI). Document current security controls (firewalls, IAM, encryption). This step produces a detailed current-state architecture diagram.

4. Analyze Gaps and Score Maturity

Compare current-state findings against target maturity levels for each domain. For each domain, assign a maturity score (e.g., 1-5). For example, if the organization has no cloud budget, finance maturity is Level 1. If there is a central cloud team but no IaC, operations maturity is Level 2. Overall maturity is often the lowest score across domains (the weakest link). Document specific gaps, such as missing skills, lack of automation, or insufficient security controls.

5. Develop Roadmap and Recommendations

Based on gap analysis, create a prioritized action plan. Quick wins (e.g., enable cloud cost management tools) should be early items. Foundational projects (e.g., landing zone, IAM policies) come before migration of critical workloads. Include training plans, tool investments, and process changes. Assign owners and timelines. The roadmap should be reviewed and approved by executive sponsors. Reassess maturity annually to track progress.

What This Looks Like on the Job

Enterprise Scenario 1: Global Retailer Migration

A multinational retailer with 500+ on-premises applications wanted to migrate to Google Cloud. The readiness assessment revealed that their finance domain was at Level 1 (no cloud budget, no chargeback) while security was at Level 2 (basic IAM but no encryption at rest). The technology domain scored Level 3 (some microservices but mostly monolithic apps). The recommendation was to start with a pilot of 10 low-criticality applications, establish a cloud center of excellence, and implement basic cost governance. The landing zone was designed with shared VPC, centralized IAM, and Cloud Interconnect for hybrid connectivity. After six months, the pilot succeeded, and the organization advanced to Level 2 overall. The key lesson: addressing finance and governance gaps early prevented cost overruns later.

Enterprise Scenario 2: Healthcare Provider Compliance

A healthcare provider needed to move patient data to the cloud while maintaining HIPAA compliance. Their readiness assessment highlighted security and compliance as Level 2 (some policies but no automated enforcement). People skills were Level 1 (no cloud-trained staff). The recommended roadmap included: (a) training for all IT staff on Google Cloud security basics, (b) implementing VPC Service Controls and Data Loss Prevention API, (c) creating a compliance checklist for each workload. The first workload migrated was a non-patient-facing analytics platform. This allowed the team to learn without risking sensitive data. Over 18 months, they achieved Level 3 in security and compliance. The common pitfall was underestimating the time needed for training—they initially allocated 2 weeks, but needed 8 weeks.

Performance and Scale Considerations

In large enterprises, readiness assessments can take 4-8 weeks for a full enterprise scope. The number of applications can exceed 1,000, requiring automated discovery tools. Network assessments must consider bandwidth between on-premises and cloud, especially for data-intensive workloads. A common misconfiguration is assuming existing VPNs have sufficient capacity—many organizations find they need dedicated interconnect at 10 Gbps or higher. When misconfigured, assessments may miss critical dependencies, leading to migration failures (e.g., an app that depends on a legacy database not discovered). To avoid this, use dependency mapping tools and conduct thorough interviews with application owners.

How GCDL Actually Tests This

What GCDL Tests (Objective 1.1)

The GCDL exam tests your understanding of the cloud maturity model and readiness assessment under the Digital Transformation domain, specifically objective 1.1: 'Analyze the capabilities and requirements for cloud adoption and transformation.' You must be able to:

Identify the stage of cloud maturity based on a description of an organization's practices.

Recommend appropriate next steps based on readiness assessment gaps.

Distinguish between the six readiness assessment domains (strategy, people, operations, security, technology, finance).

Understand that maturity is not always linear—organizations can regress.

Recognize that readiness assessments are periodic, not one-time.

Common Wrong Answers and Why

1. Choosing 'Optimized' for a company that has automated CI/CD but no cost tracking. Many candidates see automation and assume high maturity. But maturity is holistic—a single domain at low level drags overall maturity down. The exam expects you to consider all domains.

2. Recommending full migration to cloud for a company at Level 1 maturity. The correct answer is to start with a pilot or foundational projects. The exam tests that readiness gaps must be addressed before large-scale migration.

3. Confusing 'Managed' with 'Defined.' Managed means there is a central team but no standardized processes. Defined means processes are documented and enforced. The exam uses specific language: 'central team exists' = Managed; 'standard operating procedures documented' = Defined.

4. Assuming readiness assessment is a one-time activity. The correct understanding is that it should be repeated periodically (e.g., annually) as the organization evolves.

Specific Numbers and Terms That Appear

Maturity levels: 5 levels (1-5) or 4 levels (Tactical, Strategic, Transformational, Optimized in Google's model). The exam may use either numbering or names.

Readiness domains: Six domains as listed above. Memorize them.

Common readiness scores: 0-100% or Red/Amber/Green. Red (<40%) means foundational work needed; Amber (40-70%) means ready for pilot; Green (>70%) means ready for production migration.

Phrases to recognize: 'cloud center of excellence' = Managed level; 'landing zone' = Defined level; 'FinOps' = Quantitatively Managed; 'DevSecOps' = Optimizing.

Edge Cases and Exceptions

Regression: An organization may regress due to merger/acquisition, budget cuts, or loss of key staff. The exam may present a scenario where a company was at Level 3 but after a merger is back to Level 2. The correct answer is to reassess and address new gaps.

Not all domains need to be at same level: A company can be Level 4 in technology but Level 2 in finance. The overall maturity is the lowest level.

Readiness assessment vs. maturity model: Readiness assessment is the evaluation; maturity model is the framework used to score. The exam may ask which is used for benchmarking (answer: maturity model).

How to Eliminate Wrong Answers

If a question describes a company with no central cloud team, eliminate any answer that suggests advanced automation or optimization. The correct answer will be 'Initial' or 'Managed' at best.

If the question mentions 'no cloud budget,' the finance domain is at Level 1. Any answer that recommends migration of all workloads is wrong; the correct answer is to first establish budget and cost governance.

If the scenario includes 'standardized landing zone and IaC,' the maturity is at least 'Defined.' Eliminate 'Initial' or 'Managed.'

Use the 'weakest link' rule: overall maturity is determined by the lowest domain score. If one domain is weak, overall maturity cannot be high.

Key Takeaways

The cloud maturity model typically has 5 levels: Initial, Managed, Defined, Quantitatively Managed, Optimizing.

Readiness assessment covers six domains: Strategy, People, Operations, Security, Technology, Finance.

Overall maturity is determined by the lowest-scoring domain (weakest link).

Readiness scores below 40% indicate foundational work needed; 40-70% ready for pilot; above 70% ready for production migration.

Maturity can regress due to mergers, budget cuts, or loss of key staff; reassess periodically.

Google Cloud Adoption Framework uses four themes (Learn, Lead, Scale, Secure) and four levels (Tactical, Strategic, Transformational, Optimized).

Common exam phrase: 'central cloud team exists' = Managed level; 'standardized landing zone and IaC' = Defined level.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Google Cloud Adoption Framework (GCAF)

Four themes: Learn, Lead, Scale, Secure

Four maturity levels: Tactical, Strategic, Transformational, Optimized

Focuses on Google Cloud-specific capabilities (e.g., Anthos, BigQuery)

Provides a readiness assessment tool (Cloud Maturity Assessment)

Integrates with Google Cloud's landing zone blueprint

AWS Cloud Adoption Framework (AWS CAF)

Six perspectives: Business, People, Governance, Platform, Security, Operations

Phased approach: Envision, Align, Launch, Scale

Focuses on AWS-specific services (e.g., EC2, S3, Lambda)

Provides AWS Cloud Adoption Readiness Tool (CART)

Integrates with AWS Landing Zone and Control Tower

Watch Out for These

Mistake: Maturity models are only for large enterprises.

Correct: Maturity models apply to organizations of any size. Small businesses can also progress from ad hoc to optimized. The stages are relative to the organization's scale; a small company at Level 3 may have simpler processes but still be considered 'Defined.'

Mistake: Once you reach Level 5, you stay there forever.

Correct: Maturity can regress due to changes like mergers, acquisitions, budget cuts, or loss of key personnel. Organizations should reassess periodically to ensure they maintain their level.

Mistake: Readiness assessment is the same as a maturity assessment.

Correct: Readiness assessment evaluates preparedness before adoption; maturity assessment measures current state during or after adoption. Readiness is a snapshot; maturity is a stage in a journey.

Mistake: All domains must be at the same maturity level.

Correct: Domains often progress at different rates. A company may have advanced technology but poor governance. The overall maturity is typically the lowest level across domains.

Mistake: Lift-and-shift migration is always a sign of low maturity.

Correct: Lift-and-shift can be a valid strategy even at higher maturity if it meets business goals (e.g., rapid data center exit). The maturity level is determined by how it is executed (e.g., with automation, security, and cost management).


Frequently Asked Questions

What is the difference between a cloud maturity model and a readiness assessment?

A cloud maturity model is a framework that defines progressive stages of cloud adoption (e.g., Initial to Optimized). A readiness assessment evaluates an organization's current capabilities against those stages to identify gaps. Think of the maturity model as the ruler and the readiness assessment as the measurement. On the exam, you might be asked which one to recommend for benchmarking (answer: maturity model) or which one to use to identify gaps (answer: readiness assessment).

How many domains are in a typical cloud readiness assessment?

Six domains: Strategy & Governance, People & Skills, Operations & Processes, Security & Compliance, Technology & Architecture, and Finance & Procurement. The GCDL exam expects you to recognize these categories. For example, a question about 'lack of cloud budget' falls under Finance domain; 'no training plan' falls under People domain.

Can an organization skip maturity levels?

While it's possible to advance quickly, skipping levels often leads to instability. For instance, jumping from Initial to Optimized without establishing governance (Managed) or standardization (Defined) typically results in security gaps and cost overruns. The exam emphasizes that maturity progression is typically sequential, though some organizations may accelerate by adopting best practices from the start.

What is the 'weakest link' rule in maturity models?

The overall maturity of an organization is determined by the lowest maturity level across all domains. For example, if technology is at Level 4 but finance is at Level 1, the overall maturity is Level 1. This rule appears in exam scenarios: a company with advanced automation but no cost management is not considered mature. Always identify the weakest domain.

How often should a readiness assessment be performed?

Readiness assessments should be performed periodically, typically annually or when significant changes occur (e.g., merger, new compliance requirements). The exam may present a scenario where a company has not reassessed in three years; the correct answer is to recommend a new assessment before proceeding with migration.

What are quick wins in a cloud readiness roadmap?

Quick wins are low-effort, high-impact actions that build momentum. Examples include enabling cloud cost management tools, implementing tagging standards, providing basic cloud training, and setting up a centralized logging solution. These are often recommended in the 'Managed' stage before tackling complex migrations.

How does the Google Cloud Adoption Framework differ from others?

GCAF uses four themes (Learn, Lead, Scale, Secure) and four maturity levels (Tactical, Strategic, Transformational, Optimized). It is tailored to Google Cloud services like Anthos and BigQuery. Compared to AWS CAF (six perspectives) or MS CAF (five disciplines), GCAF is simpler but still covers the essential domains. The exam may reference GCAF specifically, so know its structure.
